Principles of Information Security, 2nd Edition


Law & Ethics, Policies & Guidelines, and Security Awareness

Learning Objectives

Upon completion of this material, you should be able to:

Use this chapter as a guide for future reference on laws, regulations, and professional organizations

Differentiate between laws and ethics

Identify major national laws that relate to the practice of information security

Understand the role of culture as it applies to ethics in information security

Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines


Introduction

You must understand the scope of an organization’s legal and ethical responsibilities

To minimize liabilities/reduce risks, the information security practitioner must:

Understand the current legal environment

Stay current with laws and regulations

Watch for new issues that emerge


Law and Ethics in Information Security

Laws: rules that mandate or prohibit certain societal behavior

Ethics: define socially acceptable behavior

Cultural mores: fixed moral attitudes or customs of a particular group; ethics based on these

Laws carry sanctions of a governing authority; ethics do not


Types of Law

Civil

Criminal

Tort

Private

Public


Relevant U.S. Laws (General)

Computer Fraud and Abuse Act of 1986 (CFA Act)

National Information Infrastructure Protection Act of 1996

USA Patriot Act of 2001

Telecommunications Deregulation and Competition Act of 1996

Communications Decency Act of 1996 (CDA)

Computer Security Act of 1987


U.S. Copyright Law

Intellectual property recognized as protected asset in the U.S.; copyright law extends to electronic formats

With proper acknowledgement, permissible to include portions of others’ work as reference

U.S. Copyright Office Web site: www.copyright.gov


State and Local Regulations

Restrictions on organizational computer technology use exist at international, national, state, local levels

Information security professional responsible for understanding state regulations and ensuring organization is compliant with regulations


International Laws and Legal Bodies

European Council Cyber-Crime Convention:

Establishes international task force overseeing Internet security functions for standardized international technology laws

Attempts to improve effectiveness of international investigations into breaches of technology law

Well received by intellectual property rights advocates due to emphasis on copyright infringement prosecution

Lacks realistic provisions for enforcement


United Nations Charter

Makes provisions, to a degree, for information security during information warfare (IW)

IW involves use of information technology to conduct organized and lawful military operations

IW is relatively new type of warfare, although military has been conducting electronic warfare operations for decades


Policy Versus Law

Most organizations develop and formalize a body of expectations called policy

Policies serve as organizational laws

To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees


Ethics and Information Security


Ethical Differences Across Cultures

Cultural differences create difficulty in determining what is and is not ethical

Difficulties arise when one nationality’s ethical behavior conflicts with ethics of another national group

Example: many of the ways in which Asian cultures use computer technology amount to software piracy


Ethics and Education

Overriding factor in leveling ethical perceptions within a small population is education

Employees must be trained in expected behaviors of an ethical employee, especially in areas of information security

Proper ethical training is vital to creating an informed, well-prepared, and low-risk system user


Association for Computing Machinery (ACM)

ACM established in 1947 as “the world's first educational and scientific computing society”

Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property


Computer Security Institute (CSI)

Provides information and training to support computer, networking, and information security professionals

Though without a code of ethics, has argued for adoption of ethical behavior among information security professionals


Key U.S. Federal Agencies

Department of Homeland Security (DHS)

Federal Bureau of Investigation’s National Infrastructure Protection Center (NIPC)

National Security Agency (NSA)

U.S. Secret Service


Information Security Policy, Standards and Practices

Communities of interest must consider policies as basis for all information security efforts

Policies direct how issues should be addressed and technologies used

Security policies are least expensive controls to execute but most difficult to implement

Shaping policy is difficult


Definitions

Policy: course of action used by organization to convey instructions from management to those who perform duties

Policies are organizational laws

Standards: more detailed statements of what must be done to comply with policy

Practices, procedures and guidelines effectively explain how to comply with policy

For a policy to be effective, it must be properly disseminated, read, understood and agreed to by all members of the organization


Policy Management

Policies must be managed as they constantly change

To remain viable, security policies must have:

Individual responsible for reviews

A schedule of reviews

Method for making recommendations for reviews

Specific policy issuance and revision date


Information Classification

Classification of information is an important aspect of policy

Policies are classified

A clean desk policy stipulates that at end of business day, classified information must be properly stored and secured

In today’s open office environments, may be beneficial to implement a clean desk policy


Security Education, Training, and Awareness Program

As soon as a general security policy exists, policies to implement a security education, training and awareness (SETA) program should follow

SETA is a control measure designed to reduce accidental security breaches

Security education and training builds on the general knowledge the employees must possess to do their jobs, familiarizing them with the way to do their jobs securely

The SETA program consists of three elements: security education; security training; and security awareness


Security Education

Everyone in an organization needs to be trained and aware of information security; not every member needs formal degree or certificate in information security

When formal education for individuals in security is needed, an employee can identify curriculum available from local institutions of higher learning or continuing education

A number of universities have formal coursework in information security


Security Training

Involves providing members of organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely

Management of information security can develop customized in-house training or outsource the training program


Figure 5-15 – Spheres of Security


Design of Security Architecture

Defense in depth: implementation of security in layers

Requires that organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls

Security perimeter: point at which an organization’s security protection ends and outside world begins

Does not apply to internal attacks from employee threats or on-site physical threats


Key Technology Components

Firewall: device that selectively discriminates against information flowing into or out of organization

Demilitarized zone (DMZ): no-man’s land between inside and outside networks where some organizations place Web servers

Intrusion Detection Systems (IDSs): in effort to detect unauthorized activity within inner network, or on individual machines, organization may wish to implement an IDS
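The two slides above (defense in depth and the security perimeter, then firewall, DMZ and IDS) can be seen working together in a small simulation. The following is an added example written for this page; it is not code from the textbook. The address plan, the firewall rule set, the flow records and the scan threshold are all constructed for illustration. The perimeter firewall only sees traffic that crosses a zone boundary, so a flow between two internal hosts comes back as "not-inspected" (the slide's caveat that the perimeter does not apply to internal threats); the IDS is the inner layer that still observes such flows and flags one source touching many ports on one host.

```python
"""Layered controls: perimeter firewall with a DMZ, plus an IDS as a second layer.
Added example; zones, rules, thresholds and sample flows are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan. Anything outside these ranges is treated as the Internet.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),     # public-facing Web servers
    "internal": ip_network("10.0.0.0/8"),  # workstations and internal services
}


def zone_of(addr: str) -> str:
    """Map an IP address to its zone name ("internet" when it is in no known zone)."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Perimeter/DMZ policy as (source zone, destination zone, allowed destination ports).
# Anything not listed is denied (default deny). Constructed for the example.
FIREWALL_RULES = [
    ("internet", "dmz", {80, 443}),       # the public may reach the Web tier only
    ("dmz", "internal", {5432}),          # the Web tier may reach the database port only
    ("internal", "internet", {80, 443}),  # outbound browsing
    ("internal", "dmz", {22, 80, 443}),   # administrators manage the Web tier
]


def firewall_decision(flow: Flow) -> str:
    """Return "allow", "deny", or "not-inspected" when the flow never crosses a zone boundary."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        # Same zone: the perimeter device is not on the path and cannot discriminate this traffic.
        return "not-inspected"
    for rule_src, rule_dst, ports in FIREWALL_RULES:
        if (src_zone, dst_zone) == (rule_src, rule_dst) and flow.dport in ports:
            return "allow"
    return "deny"


def ids_alerts(flows, threshold: int = 5) -> list:
    """Second layer: flag any source that touches at least `threshold` distinct
    destination ports on a single host. Unlike the firewall, this sees intra-zone flows."""
    touched = defaultdict(set)
    for f in flows:
        touched[(f.src, f.dst)].add(f.dport)
    return sorted(
        f"{src} -> {dst}: {len(ports)} distinct ports (possible scan)"
        for (src, dst), ports in touched.items()
        if len(ports) >= threshold
    )


def evaluate(flows) -> dict:
    """Run every flow through both layers and return the combined picture."""
    return {
        "firewall": {f: firewall_decision(f) for f in flows},
        "ids": ids_alerts(flows),
    }


# Constructed flow records: one legitimate Web request, one blocked direct database
# access from the Internet, one allowed Web-tier to database flow, and an internal
# host probing seven ports on an internal server (invisible to the perimeter).
SAMPLE_FLOWS = [
    Flow("203.0.113.9", "192.0.2.10", 443),
    Flow("203.0.113.9", "10.0.0.5", 5432),
    Flow("192.0.2.10", "10.0.0.5", 5432),
] + [Flow("10.0.7.33", "10.0.0.5", p) for p in (21, 22, 23, 25, 80, 135, 445)]

if __name__ == "__main__":
    result = evaluate(SAMPLE_FLOWS)
    for flow, decision in result["firewall"].items():
        print(f"{flow.src:>13} -> {flow.dst:>11}:{flow.dport:<5} firewall={decision}")
    for alert in result["ids"]:
        print("IDS:", alert)
```

Running the module prints one decision per flow and a single IDS alert for the internal scanner. The point to take from it is structural rather than the rule set: the perimeter rules return "not-inspected" for every internal-to-internal flow, so the only layer that produces a signal for that activity is the one placed inside the perimeter.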


Figure 5-18 – Key Components


Summary

Laws: rules that mandate or prohibit certain behavior in society; drawn from ethics

Ethics: define socially acceptable behaviors; based on cultural mores (fixed moral attitudes or customs of a particular group)

Types of law: civil, criminal, tort law, private, public

Management has essential role in development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines